MWR Labs publishes an Android 0-day that bypasses the Android sandbox

Google's troubles keep coming: researchers at MWR Labs have found yet another 0-day vulnerability. The flaw lies in the way the Google Admin application on Android handles certain URLs, and an attacker can even use it to bypass the sandbox. MWR Labs describes the mechanism in its report: when the Google Admin application receives a URL via an IPC call from any other application on the same device, it loads that URL into a WebView inside its own activity. If an attacker supplies a file:// URL pointing to a file they control, they can use symbolic links to bypass the Same Origin Policy and read data out of the Admin sandbox.

MWR Labs reportedly disclosed the vulnerability to Google in March of this year. Google quickly replied that it would ship a patch in June, but that patch has still not appeared. Last week MWR Labs notified Google that it could wait no longer, and on Thursday it published the report.

Google, aloof as ever, has not commented on the matter.

Ignoring security flaws while it devotes itself entirely to the art of picking names: is that what Google is up to?

In the meantime, MWR Labs advises users whose phones have the Google Admin app installed not to install untrusted third-party apps.

Since Google launched its Android Security Rewards program this June, everyone's enthusiasm for hunting Google's bugs seems to have gone up another notch. Over the past month in particular, Google's security team has probably forgotten what a quiet day looks like. Whether MWR Labs will get a reward this time is an open question, because under Google's rules a vulnerability that is made public before Google is notified is not eligible for a bounty.

The above is reproduced from: http://www.leiphone.com/ For the details of the vulnerability, read the original advisory:

Sandbox bypass through Google Admin WebView

An issue was found in Google's Android Admin application that allowed other applications on the device to bypass sandbox restrictions and read arbitrary files through the use of symbolic links.

The advisory can be downloaded here.

Description

An issue was found when the Google Admin application received a URL via an IPC call from any other application on the same device. The Admin application would load this URL in a WebView within its own activity. If an attacker used a file:// URL to a file that they controlled, then it is possible to use symbolic links to bypass the Same Origin Policy and retrieve data out of the Google Admin sandbox.

Impact

A malicious application on the same device as the Google Admin application is able to read data out of any file within the Google Admin sandbox, bypassing the Android application sandbox.

Cause

The Google Admin application (com.google.android.apps.enterprise.cpanel) has an exported activity that accepts an extra string called setup_url. This can be triggered by any application on the device creating a new intent with the data URI set to http://localhost/foo and the setup_url string set to a file URL that it can write to, such as file://data/data/com.themalicious.app/worldreadablefile.html

The ResetPinActivity will then load this in the WebView under the privileges of the Google Admin application.

The attacker adds HTML to their world-readable file, which includes an iframe that will load the world-readable file again within the frame after a one second delay. The Google Admin application loads this file and renders it into its WebView.

Next, the attacker deletes the world-readable file and replaces it with a symbolic link of the same name that points to a file in the Google Admin sandbox.

After one second the iframe in the WebView will load the file, which will now point to one of its own files. Because the parent and child frames have the same URL, the Same Origin Policy allows the parent frame to query the contents of the child frame. This means that the HTML that the attacker controls can read from the files loaded into the iframe and extract their data.
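The root cause described above is an exported activity that loads an IPC-supplied URL into its WebView without checking the scheme, combined with WebView settings that let a file:// page run script and read other local files. The following is an added example (not MWR's code and not Google Admin's source) of how such an activity would defend itself: reject anything that is not an https URL to an allow-listed host before it reaches the WebView, and lock down the WebView so that a file-origin page cannot read local files even if one were loaded. The class name SetupWebActivity, the host admin.example.com and the allow-list are assumptions for illustration; the extra name setup_url is the one named in the advisory.

```java
import android.app.Activity;
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;
import android.webkit.WebSettings;
import android.webkit.WebView;
import java.util.Arrays;
import java.util.List;

// Hypothetical hardened replacement for an activity that loads a URL taken
// from an Intent extra. Not the real Google Admin code.
public class SetupWebActivity extends Activity {
    // The extra named in the advisory.
    static final String EXTRA_SETUP_URL = "setup_url";
    // Assumed allow-list: only hosts the app legitimately needs to load.
    static final List<String> ALLOWED_HOSTS = Arrays.asList("admin.example.com");

    /** Returns the URL if it is https and its host is allow-listed, otherwise null. */
    static String validateSetupUrl(String raw) {
        if (raw == null) return null;
        Uri uri = Uri.parse(raw);
        String scheme = uri.getScheme();
        // Rejects file://, content://, javascript: and any other non-https scheme,
        // which closes the file:// path used in the advisory.
        if (scheme == null || !scheme.equalsIgnoreCase("https")) return null;
        String host = uri.getHost();
        if (host == null || !ALLOWED_HOSTS.contains(host.toLowerCase())) return null;
        return uri.toString();
    }

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        WebView webView = new WebView(this);
        setContentView(webView);

        WebSettings settings = webView.getSettings();
        // Defence in depth: even if a file:// URL ever reached loadUrl(), these
        // settings stop the WebView loading local files at all and stop a
        // file-origin page from reading other local files or running script,
        // which is what the iframe-plus-symlink technique relies on.
        settings.setAllowFileAccess(false);
        settings.setAllowFileAccessFromFileURLs(false);
        settings.setAllowUniversalAccessFromFileURLs(false);
        settings.setJavaScriptEnabled(false);

        Intent intent = getIntent();
        String url = validateSetupUrl(intent.getStringExtra(EXTRA_SETUP_URL));
        if (url == null) {
            // Untrusted or malformed input: refuse to load anything and exit.
            finish();
            return;
        }
        webView.loadUrl(url);
    }
}
```

Two further points belong in the manifest rather than in the code: declare the activity with android:exported="false" unless another application genuinely needs to start it, and if it must stay exported, protect it with a signature-level permission so that only apps signed with the same key can send it an intent. On older API levels some of the WebSettings above default to permissive values, so set them explicitly rather than relying on the platform default.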

Interim Workaround

Devices with Google Admin installed should not install any untrusted third party applications.

Solution

No updated version has been released as of the time of publication.

Technical Details

Refer to attached detailed advisory above.

Detailed Timeline

Date        Summary
17/03/2015  Issue disclosed to Google Security team
18/03/2015  Issue acknowledged by Google Security team
20/05/2015  MWR request update from Google Security team; Google Security team reply asking for 2 weeks to allow for update to be released
02/06/2015  MWR request update
18/06/2015  Google Security acknowledge they have exceeded their own 90 day deadline and request a delay on releasing details until July
05/08/2015  MWR announce to Google intention to disclose issue
13/08/2015  Advisory published

The above is reproduced from: https://labs.mwrinfosecurity.com/advisories/2015/08/13/sandbox-bypass-through-google-admin-webview/

The detailed vulnerability analysis is here:

https://labs.mwrinfosecurity.com/system/assets/1021/original/mwri-advisory_sandbox_bypass_through_google_admin_webview.pdf